Palo Alto PAN-OS Flaw CVE-2026-0300 Under Active Exploitation
Palo Alto Networks has issued an urgent security advisory regarding a critical buffer overflow vulnerability, tracked as CVE-2026-0300, affecting multiple versions of PAN-OS software. The flaw exists in the GlobalProtect gateway component and enables unauthenticated remote attackers to execute arbitrary code with root privileges. Security researchers at Unit 42 have confirmed active exploitation in the wild, classifying this as a zero-day vulnerability requiring immediate attention. Affected versions include PAN-OS 10.2 prior to 10.2.11-h4, PAN-OS 11.0 prior to 11.0.6, and PAN-OS 11.1 prior to 11.1.3.
The vulnerability stems from improper bounds checking in the SSL-VPN authentication processing module. Threat actors are leveraging this flaw to deploy custom malware payloads on compromised firewall appliances, effectively turning security infrastructure into attack vectors. According to threat intelligence from the Shadowserver Foundation, exploitation attempts have been observed from multiple threat clusters, including suspected state-sponsored activity consistent with APT5 (aka MANGROVE BREEZE). The attackers are primarily targeting government and defense contractor networks, as well as financial institutions across North America and Europe.
Palo Alto Networks has released emergency patches addressing this critical flaw. Security teams should immediately update to PAN-OS 10.2.11-h4, 11.0.6, or 11.1.3. As an interim mitigation, organizations can disable GlobalProtect gateway features if they are not operationally required. The company's PSIRT team recommends monitoring for indicators of compromise (IoCs), including unusual outbound connections from firewall management interfaces and suspicious XML parser activity in system logs. Organizations unable to patch immediately should implement strict access controls on the management plane and enable threat prevention profiles blocking known malicious IP ranges.
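The first step in responding to an advisory like this is deciding which appliances in an inventory are still below the fixed release for their train. The following is an added example, not code from Palo Alto Networks or from the advisory: it parses PAN-OS version strings of the form major.minor.maintenance with an optional -hN hotfix suffix and compares each against the fixed versions named above (10.2.11-h4, 11.0.6, 11.1.3). The hotfix handling matters because 10.2.11 without the suffix is still below 10.2.11-h4. The inventory hostnames and versions are constructed sample data; trains the advisory does not mention are reported as "not-listed" rather than guessed at.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per train, exactly as stated in the advisory summary above.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (10, 2): "10.2.11-h4",
    (11, 0): "11.0.6",
    (11, 1): "11.1.3",
}

# major.minor.maintenance with an optional hotfix suffix such as "-h4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.11-h4' into (10, 2, 11, 4) so tuples compare in release order.

    A release with no hotfix suffix is treated as hotfix 0, so it sorts below
    the same maintenance release carrying any -hN suffix.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Classify one version as 'vulnerable', 'fixed' or 'not-listed'.

    'not-listed' means the train is not named in the advisory text above, so
    nothing on this page supports a verdict either way.
    """
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if parsed >= parse_panos_version(fixed) else "vulnerable"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, version, status) for every appliance, vulnerable first."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    order = {"vulnerable": 0, "not-listed": 1, "fixed": 2}
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-dc1-edge": "10.2.11",        # same maintenance release, missing hotfix
    "fw-dc1-core": "10.2.11-h4",     # exactly the fixed release
    "fw-branch-07": "11.0.5-h3",     # hotfix on an older release still counts as below
    "fw-branch-08": "11.1.3",
    "fw-lab-01": "10.1.9",           # train not named in the advisory
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<14} {ver:<12} {status}")
```

The comparison deliberately follows the advisory's "prior to" wording: anything at or above the fixed release for its train is treated as fixed, and a version string that does not parse raises rather than silently passing, so a malformed entry in an inventory export cannot be reported as patched.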